Limited permission API keys #667

Closed
wants to merge 8 commits into from
29 changes: 29 additions & 0 deletions features/api_keys.feature
Expand Up @@ -6,6 +6,10 @@ Feature: API Keys
API keys are used to make authenticated requests by sending an HTTP Basic
Auth header, using the key as the username, with no password.

API keys by default have full access to perform any operation on your
marketplace. You can create API keys with limited permissions that have
restricted access.

Scenario: Create an API Key for a new marketplace
To obtain a key, one must be created. This is done through an
unauthenticated API request.
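Review bot: The paragraph added under "Feature: API Keys" documents the full-access default but not the limited case: it does not say what happens to endpoints that are not listed once "permissions" is supplied, or what an empty "permissions" object means. If the intent is that unlisted endpoints are denied, add one sentence saying so, so readers do not assume the full-access default still applies to them.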
Expand Down Expand Up @@ -48,3 +52,28 @@ Feature: API Keys
When I DELETE to /api_keys/:api_key giving the key
Then I should get a 204 OK status code
And there should be no response body

Scenario: Create an API key with limited permissions
By specifying permissions for a key you can restrict the operations that
it is able to perform to either being able to write (POST, DELETE, and PUT)
or read (GET) to a set of endpoints.

Given I have created an API key
When I POST to /api_keys with the body:
"""
{
"api_keys": [{
"permissions": {
"/customers": "rw",
Contributor

would it make more sense to make this resource based rather than path based, since you could potentially create a debit using /cards/asdf/debits or /customers/asdf/debits

Contributor Author

something like

{
    "permissions": {
        "customers.index": "r",
        "customers.CU123123": "w",
        "cards.create": "w"
    }
}

?

i'd like to see some examples on the syntax since i think the above example is not complete.

i feel like the path way is quite straightforward since i could do { "permissions": "/customers/CU123*" } to allow all operations on a customer (debit, credit, associate a funding instrument).
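The trade-off discussed in this thread, as an added example that is not code from the PR or the project: it compares a path-based check with a resource-based one on the scenario's permission set. It assumes path grants match by prefix on segment boundaries and that paths alternate collection/id; the function names are constructed for illustration.

```python
# Added illustration. The matching rules are assumptions; the PR does not define them.
READ, WRITE = {"GET"}, {"POST", "PUT", "DELETE"}  # "r" / "w" per the feature text

# Constructed sample: the permission set from the scenario body in this PR.
PERMISSIONS = {"/customers": "rw", "/debits": "r"}


def needed_flag(method):
    """Map an HTTP method to the permission letter it requires."""
    method = method.upper()
    if method in READ:
        return "r"
    if method in WRITE:
        return "w"
    raise ValueError("unsupported method: " + method)


def segments(path):
    """Split a request path into non-empty segments, ignoring any query string."""
    return [s for s in path.split("?", 1)[0].split("/") if s]


def path_allows(permissions, method, path):
    """Path-based (assumed semantics): the longest granted prefix decides."""
    req, best = segments(path), None
    for prefix, flags in permissions.items():
        pre = segments(prefix)
        if req[:len(pre)] == pre and (best is None or len(pre) > best[0]):
            best = (len(pre), flags)
    return best is not None and needed_flag(method) in best[1]


def resource_allows(permissions, method, path):
    """Resource-based (assumed semantics): authorize against the collection the
    request acts on. Paths are assumed to alternate collection/id, so the target
    is the last even-indexed segment, however deeply it is nested."""
    req = segments(path)
    if not req:
        return False  # nothing to authorize against: deny
    target = req[(len(req) - 1) // 2 * 2]
    return needed_flag(method) in permissions.get("/" + target, "")


def compare(method, path, permissions=PERMISSIONS):
    """Return (path_based, resource_based) decisions for one request."""
    return (path_allows(permissions, method, path),
            resource_allows(permissions, method, path))
```
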

"/debits": "r"
}
}]
}
"""
Then I should get a 201 Created status code
And the response is valid according to the "api_keys" schema
When I POST to /customers
Then I should get a 201 Created status code
And the response is valid according to the "customers" schema
When I POST to /debits
Then I should get a 401 Unauthorized status code
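Review bot: The last step of the new scenario, "When I POST to /debits" followed by "Then I should get a 401 Unauthorized status code", uses 401 for a request that carries a valid key lacking the permission; 403 Forbidden is the conventional status for that case, and reserving 401 for missing or invalid keys lets clients tell the two apart. The scenario also exercises only top-level paths, so consider adding a step for a nested path such as /customers/:id/debits (the case raised in the thread above) and one for POST to /api_keys using the limited key, to pin down whether the restriction holds there.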
5 changes: 4 additions & 1 deletion fixtures/_models/api_key.json
Expand Up @@ -25,7 +25,10 @@
"type": "object",
"properties": {},
"additionalProperties": false
}
},
"permissions": {
Contributor

add this to the required array

Contributor Author

done

"type": "object",
}
},
"required": [
"id",
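Review bot: The added "permissions" property ends with `"type": "object",` directly before its closing brace, and that trailing comma makes fixtures/_models/api_key.json invalid JSON. Drop the comma, and consider constraining the values (for example an enum of "r", "w" and "rw" under additionalProperties) so the schema rejects unknown permission strings.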